Project Description: Windows binary malware has come a long way. Today's average worm is often tens or hundreds of kilobytes of code exhibiting a level of complexity that surpasses even some operating systems. This degree of complexity, coupled with the overwhelming flow of new malware, calls for improvements to the tools and techniques used in analysis.

The authors relied heavily on graph theory to aid the analysis of these viruses. They use a series of tools for reverse engineering malware: IDA (the Interactive DisAssembler), IDAPython (a Python extension for IDA), and pydot (a Python interface to the Graphviz utilities). IDAPython and pydot were developed by the authors and released as open source. The graphs are produced by exploring the code of a malware sample, locating all of its functions and the call relationships between them (who calls whom). This information, together with text references, is then exported through pydot into a format that the Graphviz utilities can read.

The two images show a comparative analysis of two viruses: Netsky.AD (first image) and Buchon (second image).

Comments (1):

superr

Posted by eldar18 on Apr 27, 2008 at 12:32 PM (GMT)
